Subject: def-2000-04: Bea WebLogic Server dotdot-overflow
From: Peter Gründl (peter.grundl@DEFCOM.COM)
Date: Tue Dec 19 2000 - 06:34:02 CST

                   Defcom Labs Advisory def-2000-04

                       Bea WebLogic Server dotdot-overflow

Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2000-12-19
------------------------=[Brief Description]=-------------------------
It is possible to trigger a race condition that can result in the
stack and registers being partially overwritten.

------------------------=[Affected Systems]=--------------------------
Bea WebLogic Server for Windows NT prior to V5.1.0 - Service Pack 7

----------------------=[Detailed Description]=------------------------
WebLogic Server has a specific handler for URL requests that start
with "dotdot". By sending a large URL (..aaaaaaaaaaaaaaaaaaxlots more)
and disconnecting, it is possible to trigger a buffer overflow. The
result can be anywhere from crashing the web server, to executing
arbitrary code on the server with the privileges of the web server
(which usually means LocalSystem).
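The advisory describes the trigger as a request whose URL starts with ".." and is unusually long, sent by a client that disconnects before the response. From the defender's side, both properties are visible in ordinary access logs, so the following is an added example (not part of the Defcom advisory or of WebLogic) that scans Common Log Format lines for requests hitting the "dotdot" handler and for oversized URLs. The log lines are constructed for the example, the 1024-byte length threshold is an assumed value to be tuned per deployment, and the status field "-" is used only as a constructed marker for a connection closed before a response was written.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Common Log Format: host ident user [timestamp] "METHOD PATH PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-)'
)

# Assumed threshold: legitimate paths on this server are far shorter than this.
MAX_SANE_PATH = 1024


@dataclass
class Finding:
    host: str
    path_len: int
    status: str
    reason: str


def starts_with_dotdot(path: str) -> bool:
    """True if the request path would be routed to the 'dotdot' handler.

    The advisory says the handler fires for URLs starting with "..";
    a leading "/" is stripped first because many clients and proxies
    prepend it, which would otherwise hide the pattern from this check.
    """
    return path.lstrip("/").startswith("..")


def inspect_request(host: str, path: str, status: str) -> Optional[Finding]:
    """Classify one request; returns None when nothing is suspicious."""
    reasons = []
    if starts_with_dotdot(path):
        reasons.append("dotdot-prefix")
    if len(path) > MAX_SANE_PATH:
        reasons.append("oversized-url")
    if not reasons:
        return None
    return Finding(host, len(path), status, "+".join(reasons))


def scan_log(lines: List[str]) -> List[Finding]:
    """Run inspect_request over every parsable CLF line, in order."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:  # unparsable line: skip rather than guess
            continue
        f = inspect_request(m["host"], m["path"], m["status"])
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: one benign request, one short "..", one long ".."
# with no response recorded, and one long but otherwise ordinary URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2000:06:34:02 -0600] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.11 - - [19/Dec/2000:06:35:10 -0600] "GET /..a HTTP/1.0" 404 0',
    '192.0.2.12 - - [19/Dec/2000:06:35:40 -0600] "GET /..' + "a" * 2000 + ' HTTP/1.0" - -',
    '192.0.2.13 - - [19/Dec/2000:06:36:05 -0600] "GET /' + "b" * 1500 + ' HTTP/1.0" 414 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host}: {f.reason} (path length {f.path_len}, status {f.status})")
```

A request that matches both reasons and shows no recorded response is the closest log-level signature of the behaviour the advisory describes; on a patched server (5.1.0 SP7 or later) the same finding still indicates a client probing for the issue and is worth alerting on.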

-----------------------------=[Solution]=-----------------------------
Upgrade to Bea WebLogic 5.1.0, Service Pack 7.

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 20th of
November, and notification of a fix was received by Defcom on the 19th
of December.

